Privacy Law and Policy Reporter
Letters to the editor
Privacy as constraint, or privacy as strategy variable?
Stephen Wilson provided a valuable analysis of the impact of the private sector privacy legislation on business enterprises’ IT function (see (2003) 10(1) PLPR 11 and 10(2) PLPR 32). Among other useful facets was the five-way taxonomy of data collection into overt, automatic, generated, acquired and ephemeral (Pt 1 at 13).
What disappointed me, however, was the extent to which the approach adopted was so heavily compliance-driven. As a result, opportunities to position privacy as a strategic factor were missed.
For some organisations, privacy is just a constraint; but others need to take a more constructive approach.
For example, sensitivity of data is defined in the Privacy Act 1988 (Cth) (the Act); but sensitivity is actually highly relative, and arises for some people in respect of many items of data not contemplated by the wording in the Act.
Another issue is the application of the OECD Openness Principle. Stephen proposed that the internal Privacy Management Strategy should express the rationale for particular data being needed, and the basis for claiming that particular stances are ‘reasonable and practicable’.
But the Act amendments fall far short of the OECD Guidelines in this area (as in so many others). Companies can try to invoke the ‘generally’ qualifier that is conveniently embedded in NPP 5.2. But they may often find that affected individuals (not to mention representatives of and advocates for the public interest, auditors and the Privacy Commissioner) may only be satisfied when they are provided with a carefully reasoned argument, such as the one Stephen proposed be in the closed privacy management strategy.
Another concern is the statement that ‘It is currently rare in e-business for anonymous transactions to be practicable’. The law requires not just that companies ‘analyse the practicability’, but also that they provide individuals with the option ‘wherever it is lawful and practicable’.
I argued the case for adopting a strategic approach to privacy in a conference keynote over seven years ago (when PLPR was just starting Volume 3). See <www.anu.edu.au/people/Roger.Clarke/DV/PStrat.html>. Yet companies are still treating privacy as a threat, when many of them should be seeing it as an opportunity.
Roger Clarke, Principal, XamaX Consultancy.
Stephen Wilson replies ...
Roger Clarke wishes for a less compliance-driven approach to handling privacy in the context of IT management. I would agree with him, yet experience tells me that the typical harried, resource-strapped enterprise IT shop can only give priority to must-haves. And compliance with the Privacy Act is a must.
I am afraid that more work needs to be done before privacy advocates can credibly claim that privacy represents a genuine opportunity for business. We’ve heard this sort of claim before in previous business cycles, in respect of ISO 9001 or more recently, information security standards. I wish it were otherwise, but creating sustainable competitive advantage out of quality or privacy or security remains elusive for most organisations.
We would all welcome more case studies, and perhaps return on investment analyses, to bolster the case that ‘privacy is good for business’. Most businesses are still catching up with the proposition, while they attend to myriad other priorities. In the current environment, the compliance-driven approach commands more attention. It’s easier right now to see that ‘privacy is good for staying in business’.
Stephen Wilson, Chief Security Specialist, SecureNet.